[anti-abuse-wg] Draft Minutes - RIPE 63

Colleagues,
These are the draft minutes from RIPE 53, apologies for the delay, the
lovely folk from the NCC had them a while ago, I was just slow in
reviewing them and passing them on. As always, please let me know if you
have any comments or corrections:
RIPE Anti-Abuse Working Group: Draft Minutes – RIPE 62
Thursday, 4 May 2011
14:00-15:30
Co-Chairs: Brian Nisbet and Tobias Knecht
Scribe: Fergal Cunningham
Chat Monitor: Sandra Brás
A. Administrative Matters
–Welcome
Working Group co-Chair Brian Nisbet welcomed attendees. He thanked the
scribe, chat monitor and stenographer, and he asked that those asking
questions clearly state their name and affiliation.
–Approve Minutes from RIPE 61
Brian noted that there were some initial comments and the minutes were
updated accordingly. He asked if there were any further comments. There
were none and Brian deemed the minutes from RIPE 61 to be formally approved.
–New Working Group Co-Chair
Tobias Knecht was formally approved as the new Anti-Abuse Working Group
co-Chair. Brian said that Tobias would help to resurrect the best common
practice document process. Brian said two documents would be produced –
an administrative document and a technical document.
–Finalise agenda
There were no additions to the agenda.
B. Update
B1. Recent List Discussion
Brian noted that there was a lot of discussion in the past few months.
He said the Abuse Contact Task Force was addressing some issues and some
were being addressed by the ripe-517 Closure and Deregistration
document. He proposed that the working group not delve into those issues
at that time.
B2. Admin Tools for Blackhole Administration - Ingvar Mattsson, Google
The presentation is available at:
http://ripe62.ripe.net/presentations/155-blackholeslides.pdf
David Freedman from Claranet said this approach was to be commended. He
said he had a similar in-house tool and if anyone wanted to know more
about that he could show them afterwards. He said the main problem is if
prefixes are not reaped and remain in blackholing. He said the support
team needs to be aware of what’s going on and it must be done in an
intelligent way.
Ignvar asked if it was more pleasant to use blackholing and David said
it was.
B3. Arbor 2010 Infrastructure Security Report - Darren Anstee, Arbor
Networks
The presentation is available at:
http://ripe62.ripe.net/presentations/88-Darren-Anstee-AA-RIPE-2011-DDoS_Trends.ppt.pdf
Ian Meikle, RIPE Measurement, Analysis and Tools (MAT) Working Group
co-Chair, noted that Darren would talk about the ATLAS initiative at the
MAT Working Group session.
Wout de Natris, Chair of the Cybercrime Working Party, asked if the rise
of DDoS attacks was down to criminal or political reasons.
Darren said he was not sure. He thought there might be a fair mixture of
both, but he said people could look and draw their own conclusions.
Wout said he attended a meeting on botnets, where it was noted that
attacks from mobile devices were not a problem yet. He asked if this was
becoming a problem.
Darren said more attack traffic was coming from mobile devices. He said
Symantec have seen a growth in malware targeted at smart devices and it
is probably only a matter time before we see attacks coming from smart
devices.
Wout asked if Darren had tips for developing countries.
Darren said diagnostic ACLs and flow tools could be used if these
countries did not want to use commercial products to detect DDoS attacks.
Daniel Karrenberg, Chief Scientist at the RIPE NCC, asked if on the Port
53 attacks there was any differentiation on whether the attack traffic
was queries or responses.
Darren said there was not.
Daniel asked for more details, saying it would be interesting to see how
the relative proportion was reflected in the attacks. He said he
suspected a fair amount of reflection was going on.
Darren said he would be asking what people wanted to see from the Atlas
initiative, and he said this is one area they would be looking at.
Paul Germano, Google, asked if the data received was just megabits per
second and Darren said this was indeed the case.
C. Policies
–Abuse Contact Management Task Force
Brian said that the three proposals (2010-08, 2010-09 and 2010-10) that
were presented at RIPE 61 were withdrawn and that the Abuse Contact
Management Task Force was formed to look at the issues or concerns in
the three proposals. Brian gave an update from the task force, which is
available at:
http://ripe62.ripe.net/presentations/175-acm_tf_ripe62.ppt
Brian asked if there were any questions. There were no questions, and
Brian took this to be approval to continue with the work of the task force.
D. Interactions
D1. Working Groups
Brian said the Database Working Group was the one the Anti-Abuse Working
Group interacted with the most. He said that the main interaction with
that group currently was concerned with the work of the Abuse Contact
Management Task Force.
D2. Cybercrime Working Party Update - Wout de Natris
(No presentation was uploaded)
Wout de Natris, Chair of the Cybercrime Working Party (CCWP), described
the meetings he attended and presented at on behalf of the CCWP. He said
that the main area the CCWP was looking into was training law
enforcement agencies (LEAs) on the use of tools and databases that would
help them in their work. He said a template for information requests
would be created to send requests to the RIPE NCC. He said a list of LEA
contacts would enable LEA officials to easily contact each other and
share experiences. He said LEAs would look at coming up with a list of
topics that they would want to discuss with the RIPE community.
Wout asked the RIPE community what it would like to discuss with LEAs.
He said people should bring issues to the CCWP if they wanted
clarification from LEAs.
Wout concluded by noting that the CCWP was making progress, and he
reiterated that the process was a two-way street. He said LEAs could use
the group to bring forward their concerns and the RIPE community could
do likewise.
Frank Salanitri, APNIC, said APNIC’s IRT object contact address received
up to 30,000 abuse mails and that it was impossible to check these on an
individual basis. He suggested they might be used for IP reputation
services. He said, potentially, they could show the most abused
allocations and the countries the abuse came from. He said this
information could be logged in a database that could be made available
to researchers.
Wout asked if APNIC had contacted the Australian and New Zealand active
anti-spam LEAs.
Pablo Hinojosa, APNIC Public Affairs Officer, said APNIC was
corresponding with these groups and was actively looking for ways to
increase cooperation.
D3. RIPE NCC Government/LEA Interactions Update
Brian said a number of things have happened to give encouragement to
RIPE and the RIPE NCC’s interactions with LEAs. He said the engagement
of LEAs with the RIPE community has increased, and they have shown a
greater understanding of the issues at hand. He said LEAs recognised the
need to keep a good registry database.
Brian said LEAs were happy with RIPE Policy Proposal 2010-06 on
registration of IPv6 in the RIPE Database.
He said the RIPE NCC procedural document, ripe-517, on closure and
deregistration of LIRs was a positive step because it reduces the
ability to abuse mechanisms there.
Brian added that they also talked about what is likely to happen
following the exhaustion of the IPv4 address pool. He said interaction
with both LEAs and government agencies would continue.
Brian noted that there are issues being discussed on the RIPE Address
Policy Working Group mailing list that the Anti-Abuse Working Group
should look at. He said the RPKI discussion should be of particular note
and he asked everyone to pay close attention to these issues.
X. AOB
There was no other business to attend to. Brian asked for items for RIPE
63. He noted that Tobias would talk about the best common practice
documents at RIPE 63 and he promised to have those documents posted to
the mailing list. Brian thanked the attendees and said he looked forward
to the next meeting in Vienna.
Recordings of all presentations and discussion in the RIPE Anti-Abuse
Working Group session at RIPE 62 are available at:
http://ripe62.ripe.net/archives#Thursday